authorPreston Pan <ret2pop@gmail.com>2026-02-12 17:37:56 -0800
committerPreston Pan <ret2pop@gmail.com>2026-02-12 17:37:56 -0800
commitef4bd15026b83f487cf064e7b7ce098cc8aca375 (patch)
treed6b8e7a57633164082792ab28932bea24513e2bb /nix/modules
parent6a4f95482fa2c0faeafa028eae164d00c6418ac3 (diff)
fix vps, maddy, everything works
Diffstat (limited to 'nix/modules')
-rw-r--r--nix/modules/configuration.nix87
-rw-r--r--nix/modules/fail2ban.nix11
-rw-r--r--nix/modules/gitweb.nix2
-rw-r--r--nix/modules/home/user.nix2
-rw-r--r--nix/modules/maddy.nix11
-rw-r--r--nix/modules/nginx.nix10
-rw-r--r--nix/modules/ntfy-sh.nix42
-rw-r--r--nix/modules/secrets.nix8
8 files changed, 133 insertions, 40 deletions
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index 35944e0..0845cea 100644
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -24,6 +24,9 @@
./docker.nix
./impermanence.nix
./coturn.nix
+ ./maddy.nix
+ ./ntfy-sh.nix
+ ./fail2ban.nix
];
environment.etc."wpa_supplicant.conf".text = ''
@@ -206,38 +209,38 @@ country=CA
powersave = false;
};
ensureProfiles = {
- # profiles = {
- # home-wifi = {
- # connection = {
- # id = "TELUS6572";
- # permissions = "";
- # type = "wifi";
- # };
- # ipv4 = {
- # dns-search = "";
- # method = "auto";
- # };
- # ipv6 = {
- # addr-gen-mode = "stable-privacy";
- # dns-search = "";
- # method = "auto";
- # };
- # wifi = {
- # mac-address-blacklist = "";
- # mode = "infrastructure";
- # ssid = "TELUS6572";
- # };
- # wifi-security = {
- # auth-alg = "open";
- # key-mgmt = "wpa-psk";
- # # when someone actually steals my internet then I will be concerned.
- # # This password only matters if you actually show up to my house in real life.
- # # That would perhaps allow for some nasty networking related shenanigans.
- # # I guess we'll cross that bridge when I get there.
- # psk = "b4xnrv6cG6GX";
- # };
- # };
- # };
+ profiles = {
+ home-wifi = {
+ connection = {
+ id = "TELUS6572";
+ permissions = "";
+ type = "wifi";
+ };
+ ipv4 = {
+ dns-search = "";
+ method = "auto";
+ };
+ ipv6 = {
+ addr-gen-mode = "stable-privacy";
+ dns-search = "";
+ method = "auto";
+ };
+ wifi = {
+ mac-address-blacklist = "";
+ mode = "infrastructure";
+ ssid = "TELUS6572";
+ };
+ wifi-security = {
+ auth-alg = "open";
+ key-mgmt = "wpa-psk";
+ # when someone actually steals my internet then I will be concerned.
+ # This password only matters if you actually show up to my house in real life.
+ # That would perhaps allow for some nasty networking related shenanigans.
+ # I guess we'll cross that bridge when I get there.
+ psk = "b4xnrv6cG6GX";
+ };
+ };
+ };
};
};
firewall = {
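Review bot: Re-enabling the `home-wifi` profile puts the `psk` literal into the evaluated NixOS configuration, so it is written world-readable into `/nix/store` on every host that imports this module and stays in git history even after the key is changed. The module tree already routes secrets through `/run/secrets` (see `secrets.nix`), and NetworkManager profiles can take the key via `networking.networkmanager.ensureProfiles.environmentFiles` with a substituted placeholder such as `psk = "$HOME_WIFI_PSK";` (variable name illustrative), which keeps it out of the store. The in-profile comment about the threat model can stay as the author wrote it; the point is only where the literal lives. The enclosing `networking` attribute set starts and ends outside the hunk.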
@@ -370,6 +373,7 @@ country=CA
vim
curl
nmap
+ exiftool
(writeShellScriptBin "new-repo"
''
#!/bin/bash
@@ -388,12 +392,31 @@ country=CA
users.groups.conduit = lib.mkDefault {};
users.groups.livekit = lib.mkDefault {};
users.groups.matterbridge = lib.mkDefault {};
+ users.groups.maddy = lib.mkDefault {};
+ users.groups.ntfy-sh = lib.mkDefault {};
users.users = {
+ conduit = {
+ isSystemUser = lib.mkDefault true;
+ group = "conduit";
+ };
matterbridge = {
isSystemUser = lib.mkDefault true;
group = "matterbridge";
};
+
+ maddy = {
+ isSystemUser = lib.mkDefault true;
+ group = "maddy";
+ extraGroups = [ "acme" "nginx" ];
+ };
+
+ ntfy-sh = {
+ isSystemUser = lib.mkDefault true;
+ group = "ntfy-sh";
+ extraGroups = [ "acme" "nginx" ];
+ };
+
ngircd = {
isSystemUser = lib.mkDefault true;
group = "ngircd";
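Review bot: The new `ntfy-sh` user gets `extraGroups = [ "acme" "nginx" ]`, but per `ntfy-sh.nix` in this commit it binds `127.0.0.1:2586` behind nginx and never opens a certificate, so `acme` membership grants read access to every ACME private key on the host (in the default NixOS layout, keys are group-readable by `acme`) with no consumer; drop the `extraGroups` line for `ntfy-sh`. `maddy` does read `/var/lib/acme/mail.<orgHost>/key.pem` directly in `maddy.nix`, so its `acme` membership is justified, but `nginx` is not evidently needed for either user and should be removed unless something outside this diff relies on it. The enclosing `users.users` set continues past the end of the hunk.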
diff --git a/nix/modules/fail2ban.nix b/nix/modules/fail2ban.nix
new file mode 100644
index 0000000..5d289a0
--- /dev/null
+++ b/nix/modules/fail2ban.nix
@@ -0,0 +1,11 @@
+{ lib, config, ... }:
+{
+ services.fail2ban = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ # Ban IP after 5 failures for 1 hour
+ maxretry = 5;
+ bantime = "1h";
+ banaction = "iptables-allports";
+ banaction-allports = "iptables-allports";
+ };
+}
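Review bot: The new module sets no `ignoreIP`, so with `iptables-allports` five failed SSH logins from the operator's own management address bans that address on every port for an hour; adding `ignoreIP = [ "<management network, placeholder>" ];` alongside `maxretry`/`bantime` avoids locking the host out (NixOS already adds loopback to `ignoreip`, as far as I recall). The `iptables-*` actions assume the iptables backend; if the host has `networking.nftables.enable` set, which is not visible here, the bans would silently not apply and the nftables actions are needed instead. The comment `# Ban IP after 5 failures for 1 hour` could also say which jails this applies to (by default the NixOS module enables only the `sshd` jail), since nothing here adds a jail for nginx, maddy or ntfy.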
diff --git a/nix/modules/gitweb.nix b/nix/modules/gitweb.nix
index c98e4c6..69cb951 100644
--- a/nix/modules/gitweb.nix
+++ b/nix/modules/gitweb.nix
@@ -5,6 +5,8 @@
projectroot = "/srv/git/";
extraConfig = ''
our $export_ok = "git-daemon-export-ok";
+our $site_name = "NullRing Git Server";
+our $site_header = "NullRing Projects";
'';
};
}
diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix
index 356a0fe..55e16fc 100644
--- a/nix/modules/home/user.nix
+++ b/nix/modules/home/user.nix
@@ -45,7 +45,7 @@
# Apps
# octaveFull
- vesktop grim swww vim kotatogram-desktop tg qwen-code element-desktop jami
+ vesktop grim swww vim kotatogram-desktop tg qwen-code element-desktop thunderbird jami
# Sound/media
pavucontrol alsa-utils imagemagick ffmpeg helvum
diff --git a/nix/modules/maddy.nix b/nix/modules/maddy.nix
index ab98f87..42f24f9 100644
--- a/nix/modules/maddy.nix
+++ b/nix/modules/maddy.nix
@@ -3,9 +3,14 @@
services.maddy = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
openFirewall = true;
- hostName = "${config.monorepo.vars.remoteHost}";
+ hostname = "${config.monorepo.vars.orgHost}";
primaryDomain = "mail.${config.monorepo.vars.orgHost}";
+ localDomains = [
+ "$(primary_domain)"
+ "${config.monorepo.vars.orgHost}"
+ ];
tls = {
+ loader = "file";
certificates = [
{
keyPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/key.pem";
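Review bot: `localDomains` mixes a maddy configuration macro with a Nix interpolation, and nothing says so: `"$(primary_domain)"` is passed through literally (Nix only expands `${…}`) and is resolved by maddy at runtime to `mail.<orgHost>`, while the second entry is expanded at evaluation. A comment such as `# $(primary_domain) is a maddy config macro, expanded by maddy, not by Nix` on the list would stop a future reader from "fixing" it into `${…}`. Separately, `hostname` is now the bare `orgHost` while the certificate and `primaryDomain` are `mail.<orgHost>`; maddy uses `hostname` as the EHLO name, and receiving servers commonly check that it resolves and matches the sending IP's reverse DNS, so if the VPS's PTR is `mail.<orgHost>` the two should agree — not verifiable from here. The `services.maddy` set begins and ends outside the hunk.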
@@ -16,14 +21,12 @@
config = builtins.replaceStrings [
"imap tcp://0.0.0.0:143"
"submission tcp://0.0.0.0:587"
- "smtp tcp://0.0.0.0:25"
] [
"imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
"submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
- "smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25"
] options.services.maddy.config.default;
ensureCredentials = {
- "${config.monorepo.vars.userName}@localhost" = {
+ "${config.monorepo.vars.internetName}@${config.monorepo.vars.orgHost}" = {
passwordFile = "/run/secrets/mail_password";
};
};
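Review bot: `builtins.replaceStrings` leaves the text unchanged when a needle is absent, so if the upstream `options.services.maddy.config.default` text ever changes, the TLS listeners on 993 and 465 would silently disappear and only the plaintext endpoints on 143 and 587 would remain, with no evaluation error. Guarding the call with `assert lib.hasInfix "imap tcp://0.0.0.0:143" options.services.maddy.config.default;` (and the same for the submission needle) turns that into a build failure instead. With the `smtp tcp://0.0.0.0:25` replacement removed, port 465 is now served solely by the `submission tls://0.0.0.0:465` entry on the line above, which is worth stating in a comment so nobody re-adds the `smtps` endpoint and double-binds it. The enclosing `services.maddy` set starts outside the hunk.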
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index a3c079b..87f11c1 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -143,6 +143,16 @@
};
};
+ "ntfy.${config.monorepo.vars.remoteHost}" = {
+ serverName = "ntfy.${config.monorepo.vars.remoteHost}";
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:2586";
+ proxyWebsockets = true;
+ };
+ };
+
"${config.monorepo.vars.remoteHost}" = {
serverName = "${config.monorepo.vars.remoteHost}";
serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ];
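Review bot: `proxyPass = "http://localhost:2586"` does not match the bind address in `ntfy-sh.nix`, which is `listen-http = "127.0.0.1:2586"`; nginx resolves `localhost` from `/etc/hosts` at startup and on a dual-stack host may try `[::1]:2586` first, logging a refused connection per request before falling back, so `proxyPass = "http://127.0.0.1:2586";` is the exact match. Since every client now reaches ntfy only through this proxy, ntfy's per-client rate limiting and any log-based banning will see `127.0.0.1` for everyone unless the forwarded headers are set (nginx `recommendedProxySettings` or an explicit `proxy_set_header X-Forwarded-For $remote_addr;`) and ntfy is configured with `behind-proxy = true` — neither is visible in this hunk, and the global nginx settings are outside it. The enclosing `virtualHosts` set begins and ends outside the hunk.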
diff --git a/nix/modules/ntfy-sh.nix b/nix/modules/ntfy-sh.nix
index 9311af2..0eeac78 100644
--- a/nix/modules/ntfy-sh.nix
+++ b/nix/modules/ntfy-sh.nix
@@ -1,12 +1,48 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
{
services.ntfy-sh = {
-# enable = lib.mkDefault config.monorepo.profiles.server.enable;
- enable = false;
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
settings = {
base-url = "https://ntfy.${config.monorepo.vars.remoteHost}";
listen-http = "127.0.0.1:2586";
envrionmentFile = "/run/secrets/ntfy";
+ auth-file = "/var/lib/ntfy-sh/user.db";
+ auth-default-access = "deny-all";
+ enable-login = true;
};
};
+ systemd.services.ntfy-sh = {
+ serviceConfig = {
+ EnvironmentFile = "/run/secrets/ntfy";
+ };
+ postStart = lib.mkForce ''
+ # 1. Wait for the server to initialize the database
+ echo "Waiting for ntfy auth database to appear..."
+ TIMEOUT=30
+ while [ ! -f /var/lib/ntfy-sh/user.db ]; do
+ sleep 1
+ TIMEOUT=$((TIMEOUT-1))
+ if [ $TIMEOUT -le 0 ]; then
+ echo "Timed out waiting for database creation!"
+ exit 1
+ fi
+ done
+
+ echo "Database found. Configuring admin user..."
+
+ # 2. Define the username
+ ADMIN_USER="ret2pop"
+
+ # 3. Check if user exists, create if missing
+ # We pipe the password twice because 'ntfy user add' asks for confirmation
+ if ! ${pkgs.ntfy-sh}/bin/ntfy user list | grep -q "$ADMIN_USER"; then
+ echo "Creating admin user $ADMIN_USER..."
+ printf "$ADMIN_PASSWORD\n$ADMIN_PASSWORD" | \
+ ${pkgs.ntfy-sh}/bin/ntfy user add --role=admin "$ADMIN_USER"
+ echo "User created."
+ else
+ echo "Admin user already exists."
+ fi
+ '';
+ };
}
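Review bot: In `postStart`, `printf "$ADMIN_PASSWORD\n$ADMIN_PASSWORD"` uses the secret as the printf format string, so a `%` or backslash sequence in the password is interpreted rather than sent literally and the stored credential will not be what the operator set; write `printf '%s\n%s' "$ADMIN_PASSWORD" "$ADMIN_PASSWORD" | \`, or drop the pipe entirely since ntfy's CLI reads `NTFY_PASSWORD` for a non-interactive `user add`: `NTFY_PASSWORD="$ADMIN_PASSWORD" ${pkgs.ntfy-sh}/bin/ntfy user add --role=admin "$ADMIN_USER"`. `grep -q "$ADMIN_USER"` is a substring match, so any later user whose name contains `ret2pop` would suppress creation of the admin; `grep -qw` is tighter. If `ADMIN_PASSWORD` is missing from the environment file the script presumably feeds empty lines to the prompt rather than failing clearly; a guard such as `[ -n "$ADMIN_PASSWORD" ] || { echo "ADMIN_PASSWORD not set"; exit 1; }` before the `user add` makes the failure mode explicit. The context line `envrionmentFile` is misspelled, which is presumably why the explicit `serviceConfig.EnvironmentFile` override was needed; if the `settings` set is free-form the typo is silently passed into server.yml, so fixing it or noting it in a comment would avoid a second source of truth.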
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index d1c711c..f7deb5d 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
@@ -87,6 +87,10 @@ channel="-5290629325"
livekit = {
format = "yaml";
};
+ mail_password = {
+ format = "yaml";
+ owner = "maddy";
+ };
conduit_secrets = {
format = "yaml";
};
@@ -99,6 +103,10 @@ channel="-5290629325"
discord_token = {
format = "yaml";
};
+ ntfy = {
+ format = "yaml";
+ owner = "ntfy-sh";
+ };
};
};
}
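Review bot: The new `ntfy` secret is consumed as a systemd `EnvironmentFile` in `ntfy-sh.nix`, so with `format = "yaml"` the decrypted value itself must consist of `KEY=value` lines (at least `ADMIN_PASSWORD=…`), and nothing here says so; a comment such as `# read as EnvironmentFile by ntfy-sh.service: value must be KEY=value lines (ADMIN_PASSWORD=...)` would save the next edit. Because systemd reads `EnvironmentFile` before the unit drops to its `User`, `owner = "ntfy-sh"` is not required for that use, though it is harmless; by contrast `mail_password` in the first hunk is opened by maddy itself via `passwordFile`, so its `owner = "maddy"` is necessary and should be kept. The enclosing secrets attribute set starts outside the hunk.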